
kxvo.exe PLEASE HELP [RESOLVED]


  • This topic is locked

#91 amm007 (Topic Starter, Member, 265 posts)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 02, 2008 9:51:12 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/04/2008
Kaspersky Anti-Virus database records: 676825
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49754
Number of viruses found: 4
Number of infected objects: 55
Number of suspicious objects: 0
Duration of the scan process: 01:06:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masevents.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\history.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\key3.db Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ruberc\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ruberc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\Cache\7CD28A6Ed01 Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Mozilla\Firefox\Profiles\fxb8jhig.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\History\History.IE5\MSHist012008040220080403\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Temp\p8rjys.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\Documents and Settings\Ruberc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ruberc\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000341.dll.mwt Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000367.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000422.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000423.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000424.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000428.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000592.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000593.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000594.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000618.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000619.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000620.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000638.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000639.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000640.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000671.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000672.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000676.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000687.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000688.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000689.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000700.cmd Infected: Packed.Win32.PolyCrypt.h skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000709.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000710.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000711.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000736.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000765.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000766.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000768.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000778.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000779.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000780.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000787.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000788.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000799.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000800.cmd Infected: Trojan.Win32.Vaklik.yf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000804.exe Infected: Trojan.Win32.Vaklik.yf skipped
C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\change.log Object is locked skipped
C:\vuts0e.cmd.mwt Infected: Packed.Win32.PolyCrypt.h skipped
C:\w00g.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\sqlite_5YMaoNI33eDbufj Object is locked skipped
C:\WINDOWS\Temp\sqlite_bNIQD9jSGKAlfcD Object is locked skipped
C:\WINDOWS\Temp\sqlite_zkYRmes1e0yMv0j Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000426.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000430.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP3\A0000596.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000622.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000642.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000678.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000691.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000703.cmd Infected: Packed.Win32.PolyCrypt.h skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP4\A0000713.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000738.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000770.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000782.exe Infected: Worm.Win32.AutoRun.dem skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\A0000802.cmd Infected: Trojan.Win32.Vaklik.yf skipped
D:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP5\change.log Object is locked skipped
D:\vuts0e.cmd.mwt Infected: Packed.Win32.PolyCrypt.h skipped
D:\w00g.exe Infected: Worm.Win32.AutoRun.dem skipped

Scan process completed.

#92 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I would like for you to submit some files for me to analyze.
Now: using Windows Explorer (to get there right-click your Start button and go to "Explore")
Then navigate to these locations and upload the following files.

C:\w00g.exe
C:\vuts0e.cmd.mwt

Click Here to upload the files please.
=======================
After doing that:
Then please do the following:
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
D:\w00g.exe
D:\vuts0e.cmd.mwt
C:\Documents and Settings\Ruberc\Local Settings\Temp\p8rjys.dll
C:\vuts0e.cmd.mwt
C:\w00g.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of C:\avenger.txt into your reply along with a fresh DSS log.
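The helper's procedure above hand-picks the infected entries from the Kaspersky report that sit outside the System Restore store and turns them into an Avenger "Files to delete:" script. The Python below is an added example (not code from this thread, from Geeks to Go, or from the Avenger or Kaspersky projects) that automates that triage over a constructed report in the same one-object-per-line layout: it separates live files from restore-point copies and from locked objects, counts detections per name, and emits the deletion block with the command directive on the very first line, since the Avenger pre-processor log later in the thread shows that a script not beginning with a directive is rejected. The sample paths, the placeholder GUID and the regular expressions are my assumptions about the report format; no path in the sample comes from a real machine.

```python
import re
from collections import Counter

# Constructed sample in the layout of a Kaspersky Online Scanner 5.x report:
# one object per line, "<path> Infected: <detection> skipped" or
# "<path> Object is locked skipped". Paths and the GUID are made up.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\abc123.dll Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP2\A0000001.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP2\A0000002.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped
C:\sample.exe Infected: Worm.Win32.AutoRun.dem skipped
C:\sample.cmd.mwt Infected: Packed.Win32.PolyCrypt.h skipped
D:\sample.exe Infected: Worm.Win32.AutoRun.dem skipped

Scan process completed.
"""

# Paths may contain spaces, so the anchored status text on the right is what
# decides where the path ends (assumed layout, see lead-in).
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?:Infected: (?P<name>\S+)|Object is locked) skipped$"
)
# Copies inside System Restore's snapshot store are not live files; the helper
# in the thread left those alone and deleted only the live copies.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


def parse_report(text):
    """Return one dict per object line: path, status ('infected'/'locked'), name."""
    objects = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines carry no object
        name = m.group("name")
        objects.append({
            "path": m.group("path"),
            "status": "infected" if name else "locked",
            "name": name,
        })
    return objects


def triage(text):
    """Split detections into live files, restore-point copies and locked objects."""
    result = {"live": [], "restore_point": [], "locked": 0, "by_detection": Counter()}
    for obj in parse_report(text):
        if obj["status"] == "locked":
            result["locked"] += 1  # locked, not infected: in-use files the scanner skipped
            continue
        result["by_detection"][obj["name"]] += 1
        if RESTORE_RE.search(obj["path"]):
            result["restore_point"].append(obj["path"])
        else:
            result["live"].append(obj["path"])
    return result


def avenger_file_list(paths):
    """Build the 'Files to delete:' block in the form used in the thread.

    The directive is the first line with no leading blank line, and each
    path is written without trailing whitespace.
    """
    lines = ["Files to delete:"] + [p.strip() for p in paths]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['locked']} locked objects skipped (not detections)")
    print(f"{len(summary['restore_point'])} detections are restore-point copies")
    for name, count in summary["by_detection"].most_common():
        print(f"  {count:3d}  {name}")
    print(avenger_file_list(summary["live"]))
```

Run as a script it prints the per-detection counts and the deletion block for the four live files in the sample; the two restore-point hits are reported separately because they are handled by clearing System Restore rather than by deleting snapshot files one at a time.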

#93 amm007 (Topic Starter, Member, 265 posts)
Virus symptoms like the inability to show hidden files come back with these viruses. I already submitted the viruses through your file submission link. Also, I noticed that in the presence of these viruses, when I type "yahoo" in Mozilla it directs me to download an application file instead of directing me to yahoo.com.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Apr 02 19:29:47 2008

19:29:47: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "D:\w00g.exe" deleted successfully.
File "D:\vuts0e.cmd.mwt" deleted successfully.
File "C:\Documents and Settings\Ruberc\Local Settings\Temp\p8rjys.dll" deleted successfully.
File "C:\vuts0e.cmd.mwt" deleted successfully.
File "C:\w00g.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Deckard's System Scanner v20071014.68
Run by Ruberc on 2008-04-02 19:35:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Ruberc.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:03 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ruberc\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ruberc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 6631 bytes

-- Files created between 2008-03-02 and 2008-04-02 -----------------------------

2008-04-01 19:16:23 160055 -r-hs---- C:\dhv2u8.cmd
2008-03-31 11:04:22 0 d-------- C:\Downloads
2008-03-31 11:04:22 0 d-------- C:\Bases
2008-03-31 11:02:48 0 d-------- C:\Kaspersky
2008-03-29 23:47:58 0 d-------- C:\WINDOWS\network diagnostic
2008-03-29 23:15:54 92160 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-03-29 07:06:08 92160 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-03-29 07:06:07 160055 -r-hs---- C:\WINDOWS\system32\kxvo.exe
2008-03-27 11:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-27 11:24:36 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-24 13:56:23 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-24 13:56:11 0 d-------- C:\Program Files\Saxton NCLEX-RN® 18e
2008-03-16 19:08:19 0 d-------- C:\Documents and Settings\russ\Application Data\PC Suite
2008-03-11 21:47:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-11 06:16:00 0 d-------- C:\Program Files\EPSON
2008-03-11 06:15:50 0 d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-10 00:14:04 0 d-------- C:\Program Files\Trend Micro
2008-03-07 16:26:29 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-03-27 19:51:19 0 d-------- C:\Program Files\Yahoo!
2008-03-24 21:36:06 0 d-------- C:\Program Files\QuickTime
2008-03-24 21:35:00 0 d-------- C:\Program Files\MSN Messenger
2008-03-24 21:29:14 0 d-------- C:\Program Files\Messenger
2008-03-24 21:28:37 0 d-------- C:\Program Files\iTunes
2008-03-08 17:45:21 0 d-------- C:\Program Files\Common Files
2008-03-04 18:43:12 2082 --a------ C:\WINDOWS\mozver.dat
2008-03-01 00:00:17 0 d-------- C:\Documents and Settings\Ruberc\Application Data\McAfee.com Personal Firewall
2008-02-28 21:51:11 0 d-------- C:\Documents and Settings\Ruberc\Application Data\Adobe
2008-02-26 18:43:39 8554 --a------ C:\logfile
2008-02-26 18:43:22 0 d-------- C:\Program Files\KODAK
2008-02-26 18:43:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-25 20:31:50 0 d-------- C:\Program Files\ArcSoft
2008-02-25 19:52:34 0 d-------- C:\Program Files\Common Files\KODAK
2008-02-24 10:10:48 0 d-------- C:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [04/20/2005 01:38 AM]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [04/20/2005 01:38 AM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 12:05 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [09/22/2005 06:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [04/01/2008 09:38 PM]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [03/23/2005 04:33 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:56 AM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 03:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 08/12/2004 08:11 PM 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva]
C:\WINDOWS\system32\kxvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
tp4ex.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
c:\progra~1\mcafee\MCAFEE~1\masalert.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}]
AutoRun\command- F:\w00g.exe
explore\Command- F:\w00g.exe
open\Command- F:\w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]
AutoRun\command- G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}]
AutoRun\command- F:\w00g.exe
explore\Command- F:\w00g.exe
open\Command- F:\w00g.exe




-- End of Deckard's System Scanner: finished at 2008-04-02 19:37:02 ------------

#94
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
This thing is being a PITA :)
==========================
I would like for you to download Combofix to your desktop.
from Here
Do not run it yet.
=============
Physically disconnect from the internet.
Then:
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
F:\w00g.exe
G:\USBNB.exe
C:\WINDOWS\system32\kxvo.exe
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\fool1.dll
C:\dhv2u8.cmd
C:\WINDOWS\system32\ieso0.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva

Registry Values to delete:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|kxva

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  • Please copy/paste the content of C:\avenger.txt into your reply.
=========================================================
Then double-click on ComboFix to run it, still disconnected from the internet, and follow the prompts.
Do not mouse-click on anything while ComboFix is running, as it may cause it to stall.
Please post the ComboFix log, the Avenger log and a new HijackThis log.
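Added example (not from this thread and not part of The Avenger): a small pre-check that parses a script in the format posted above and flags the entries Avenger will skip or fail on, applying the rule its pre-processor log prints (only keys under HKEY_LOCAL_MACHINE are accessible) and, optionally, a caller-supplied set of attached drive letters, which is the assumption behind the failed F: and G: deletions. The script text is a constructed copy of the one posted; the `present_drives` argument is an assumed input.

```python
"""Pre-check an Avenger script: which entries will it skip or fail on?

Added example, not part of this thread or of The Avenger. It applies the rule
the Avenger pre-processor reports ("Only registry keys under the
HKEY_LOCAL_MACHINE hive are accessible") and, optionally, checks that the
drive a file lives on is attached, which is why the F: and G: files failed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed copy of the script posted above (same entries, same section format).
SCRIPT = r"""
Files to delete:
F:\w00g.exe
G:\USBNB.exe
C:\WINDOWS\system32\kxvo.exe
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\fool1.dll
C:\dhv2u8.cmd
C:\WINDOWS\system32\ieso0.dll

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva

Registry values to delete:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|kxva
"""

ACCESSIBLE_HIVE = "HKEY_LOCAL_MACHINE"  # the restriction stated in the pre-processor log
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
                "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT",
                "HKCC": "HKEY_CURRENT_CONFIG"}
SECTION_RE = re.compile(
    r"^(files|folders|registry keys|registry values|drivers) to (delete|disable):$", re.I)

Problem = Tuple[str, str, str]  # (section, entry, reason)


def parse_script(text: str) -> Dict[str, List[str]]:
    """Split the script into sections keyed by a lower-cased header such as 'files to delete'."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1).lower()} to {m.group(2).lower()}"
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def hive_of(reg_path: str) -> str:
    """Canonical hive name of a registry path, expanding HKLM/HKCU-style aliases."""
    head = reg_path.split("\\", 1)[0].upper()
    return HIVE_ALIASES.get(head, head)


def drive_of(path: str) -> Optional[str]:
    """Drive letter of a DOS path such as 'F:\\w00g.exe', or None for UNC/relative paths."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[0].upper()
    return None


def check_script(text: str, present_drives: Optional[Set[str]] = None) -> Dict[str, List[Problem]]:
    """Classify each entry as 'ok' (Avenger can act on it) or 'problem' (skipped or will fail)."""
    report: Dict[str, List[Problem]] = {"ok": [], "problem": []}
    for section, entries in parse_script(text).items():
        for entry in entries:
            reason = ""
            if section.startswith("registry"):
                key = entry.split("|", 1)[0]  # values are written as KEY|VALUENAME
                hive = hive_of(key)
                if hive != ACCESSIBLE_HIVE:
                    reason = f"hive {hive} is not accessible to Avenger; line will be skipped"
            elif section.startswith(("files", "folders")) and present_drives is not None:
                drive = drive_of(entry)
                if drive and drive not in present_drives:
                    reason = f"drive {drive}: is not attached; deletion will fail (path not found)"
            report["problem" if reason else "ok"].append((section, entry, reason))
    return report


if __name__ == "__main__":
    # Assumption for the demo: only C: is attached, matching the failed F:/G: deletions above.
    for bucket, rows in check_script(SCRIPT, present_drives={"C"}).items():
        print(f"== {bucket} ({len(rows)})")
        for section, entry, reason in rows:
            print(f"  [{section}] {entry}" + (f"  <- {reason}" if reason else ""))
```

Run this before executing a script and move any flagged HKCU entries to a tool that can reach the user hive, as the helper does here with ComboFix and HijackThis.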

#95
amm007

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 265 posts
Avenger failed to clean some registry files.


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:54:15 2008

18:54:11: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:54:15: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:54:27 2008

18:54:25: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:54:27: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:54:57 2008

18:54:55: Error: Invalid registry syntax in command:
"Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:54:57: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:55:38 2008

18:55:36: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:55:38: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:55:53 2008

18:55:51: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:55:53: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:56:14 2008

18:56:11: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:56:14: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Apr 03 18:56:30 2008

18:56:17: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:56:19: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:56:20: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
18:56:27: Error: Invalid registry syntax in command:
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run|kxva"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry value deletion mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "F:\w00g.exe"
Deletion of file "F:\w00g.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open file "G:\USBNB.exe"
Deletion of file "G:\USBNB.exe" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

File "C:\WINDOWS\system32\kxvo.exe" deleted successfully.
File "C:\WINDOWS\system32\fool0.dll" deleted successfully.
File "C:\WINDOWS\system32\fool1.dll" deleted successfully.
File "C:\dhv2u8.cmd" deleted successfully.
File "C:\WINDOWS\system32\ieso0.dll" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kxva" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
ComboFix 08-04-02.1 - Ruberc 2008-04-03 19:00:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.155 [GMT 8:00]
Running from: C:\Documents and Settings\Ruberc\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-03 18:47 . 2008-04-03 18:47 158,261 -r-hs---- C:\kso6.bat
2008-04-02 19:35 . 2008-04-02 19:35 <DIR> d-------- C:\Deckard
2008-03-31 13:29 . 2008-03-31 13:29 0 --a------ C:\23990098.$$$
2008-03-31 11:04 . 2008-03-31 11:25 <DIR> d-------- C:\Downloads
2008-03-31 11:04 . 2008-03-31 11:25 <DIR> d-------- C:\Bases
2008-03-31 11:02 . 2008-03-31 11:34 <DIR> d-------- C:\Kaspersky
2008-03-29 23:57 . 2007-12-07 10:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-29 23:57 . 2007-07-01 11:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-29 23:57 . 2007-07-01 11:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-29 23:57 . 2007-12-07 10:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-29 23:57 . 2007-12-07 10:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-29 23:57 . 2007-12-07 10:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-29 23:57 . 2007-12-07 10:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-29 23:57 . 2007-12-07 10:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-29 23:57 . 2007-12-06 19:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-27 11:24 . 2008-03-27 11:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-27 11:24 . 2008-03-27 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 20:42 . 2008-03-24 20:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 20:42 . 2008-03-24 20:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-24 13:56 . 2008-03-24 13:56 <DIR> d-------- C:\Program Files\Saxton NCLEX-RN® 18e
2008-03-24 13:56 . 2008-03-24 13:59 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-16 19:08 . 2008-03-16 19:08 <DIR> d-------- C:\Documents and Settings\russ\Application Data\PC Suite
2008-03-11 21:47 . 2008-03-11 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-11 06:16 . 2008-03-11 06:16 <DIR> d-------- C:\Program Files\EPSON
2008-03-11 06:15 . 2008-03-11 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-11 06:15 . 2008-03-11 06:15 25 --a------ C:\WINDOWS\CDEC90ASIA.ini
2008-03-11 06:06 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-11 06:06 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-10 00:14 . 2008-03-10 00:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 16:26 . 2008-03-27 09:43 <DIR> d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 11:51 --------- d-----w C:\Program Files\Yahoo!
2008-03-24 13:36 --------- d-----w C:\Program Files\QuickTime
2008-03-24 13:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-24 13:28 --------- d-----w C:\Program Files\iTunes
2008-02-29 16:00 --------- d-----w C:\Documents and Settings\Ruberc\Application Data\McAfee.com Personal Firewall
2008-02-26 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-26 10:43 --------- d-----w C:\Program Files\KODAK
2008-02-25 12:31 --------- d-----w C:\Program Files\ArcSoft
2008-02-25 11:52 --------- d-----w C:\Program Files\Common Files\KODAK
2008-02-24 02:10 --------- d-----w C:\Program Files\Common Files\Adobe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [ ]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-03-23 16:33 126976]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" [2004-08-25 05:00 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 01:38 110592]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 01:38 208896]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 20:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
--a------ 2005-04-20 01:38 20480 C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2005-04-20 01:38 396288 C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-03-31 09:30 1106944 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2004-11-24 02:10 212992 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2004-11-02 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2004-11-02 09:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 11:25 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-04-05 14:41 950272 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-03-23 16:33 126976 C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-03-23 15:47 1111040 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 22:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-03-22 09:39 167936 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-04-20 09:57 847872 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
--a------ 2005-03-18 03:07 745472 C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
--a------ 2005-03-18 03:07 86016 C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-08-06 08:27 860160 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-04-01 10:52 1368064 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2004-11-12 01:07 40960 C:\WINDOWS\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
-ra------ 2005-03-03 17:10 94208 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
--a------ 2004-02-04 18:39 897024 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
-ra------ 2004-10-28 03:50 94208 C:\WINDOWS\system32\tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 12:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
--a------ 2006-01-06 15:14 327680 c:\progra~1\mcafee\MCAFEE~1\masalert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 03:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 03:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2004-10-28 03:50]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 03:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}]
\Shell\AutoRun\command - F:\w00g.exe
\Shell\explore\Command - F:\w00g.exe
\Shell\open\Command - F:\w00g.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]
\Shell\AutoRun\command - G:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}]
\Shell\AutoRun\command - F:\w00g.exe
\Shell\explore\Command - F:\w00g.exe
\Shell\open\Command - F:\w00g.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 08:09:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-06-20 09:48:35 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-02-18 22:06:39 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 19:03:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ARC = "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-04-03 19:04:54
ComboFix-quarantined-files.txt 2008-04-03 11:04:32
Pre-Run: 13,823,135,744 bytes free
Post-Run: 13,811,912,704 bytes free
.
2008-03-30 07:21:23 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:18 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 5940 bytes

Edited by amm007, 03 April 2008 - 05:07 AM.


#96
kahdah (GeekU Teacher, Retired Staff)
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then click OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\kso6.bat
F:\w00g.exe
G:\USBNB.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxva"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}]


3. Save the above as CFScript.txt

4. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation image not included]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#97
amm007 (Topic Starter)
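The script in the post above, parsed into the actions it performs. This is an added example, not part of the post and not ComboFix's own code; it handles only the three directives the script uses (KILLALL::, File::, Registry::) and the REGEDIT4 syntax in the Registry section, where `"name"=-` removes a value from the key named in the preceding `[...]` line and `[-key]` removes a whole key. The function and constant names are my own. Read this way, the script terminates running processes, deletes the dropped files on C:, F: and G:, removes the `kxva` Run value that launched kxvo.exe, and clears three MountPoints2 entries, the per-volume settings (including any autorun.inf shell command) Explorer keeps for drives it has seen. Since KILLALL:: and the deletions are not reversible, a plain-English listing of what a CFScript will do is worth producing before dragging it onto ComboFix.

```python
"""Parse a ComboFix CFScript into the actions it will perform (added example)."""
import re

SECTION = re.compile(r"^([A-Za-z]+)::$")
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKLM", "HKCU", "HKU", "HKCR")

# The script posted above, reproduced verbatim as sample input.
SAMPLE_SCRIPT = r"""KILLALL::

File::
C:\kso6.bat
F:\w00g.exe
G:\USBNB.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kxva"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3244f700-b7bf-11dc-a8b1-000ae435643f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85af5a94-5ebf-11dc-a775-000ae435643f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bf3cab30-7408-11dc-a7c2-000ae435643f}]
"""


def _check_hive(key, lineno):
    if not key.upper().startswith(HIVES):
        raise ValueError("line %d: registry key must start with a hive: %r" % (lineno, key))


def parse_cfscript(text):
    """Return the script as an ordered list of (action, target) tuples.

    Only the directives used in the posted script are understood; anything
    else is rejected rather than silently ignored.
    """
    plan = []
    section = None
    current_key = None          # the [key] a following "name"=... line belongs to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).upper()
            current_key = None
            if section == "KILLALL":
                plan.append(("kill_all_processes", None))
            continue
        if section == "FILE":
            # Every File:: entry must be an absolute path with a drive letter.
            if not re.match(r"^[A-Za-z]:\\", line):
                raise ValueError("line %d: File:: entries must be absolute paths: %r" % (lineno, line))
            plan.append(("delete_file", line))
        elif section == "REGISTRY":
            if line.startswith("[-") and line.endswith("]"):      # [-key]: delete the key
                key = line[2:-1]
                _check_hive(key, lineno)
                plan.append(("delete_key", key))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):     # [key]: values follow
                current_key = line[1:-1]
                _check_hive(current_key, lineno)
            else:
                m = re.match(r'^"([^"]+)"=(.*)$', line)
                if not m or current_key is None:
                    raise ValueError("line %d: value outside a [key] block: %r" % (lineno, line))
                name, data = m.groups()
                if data == "-":                                   # "name"=- deletes the value
                    plan.append(("delete_value", (current_key, name)))
                else:
                    plan.append(("set_value", (current_key, name, data)))
        else:
            raise ValueError("line %d: unsupported section %r" % (lineno, section))
    return plan


def describe(plan):
    """Plain-English line per action, for review before the script is run."""
    words = {
        "kill_all_processes": lambda t: "terminate running processes before making changes",
        "delete_file": lambda t: "delete file %s" % t,
        "delete_key": lambda t: "delete registry key %s and everything under it" % t,
        "delete_value": lambda t: "delete value %r under %s" % (t[1], t[0]),
        "set_value": lambda t: "set value %r under %s to %s" % (t[1], t[0], t[2]),
    }
    return [words[action](target) for action, target in plan]


if __name__ == "__main__":
    for step in describe(parse_cfscript(SAMPLE_SCRIPT)):
        print("-", step)
```

Running it lists eight actions; the three `delete_key` lines are the MountPoints2 entries, and the single `delete_value` is the `kxva` autostart. Feeding it a File:: entry without a drive letter raises instead of producing a plan.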
ComboFix 08-04-02.1 - Ruberc 2008-04-04 9:50:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.154 [GMT 8:00]
Running from: C:\Documents and Settings\Ruberc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ruberc\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-03 18:47 . 2008-04-03 18:47 158,261 -r-hs---- C:\kso6.bat
2008-04-02 19:35 . 2008-04-02 19:35 <DIR> d-------- C:\Deckard
2008-03-31 13:29 . 2008-03-31 13:29 0 --a------ C:\23990098.$$$
2008-03-31 11:04 . 2008-03-31 11:25 <DIR> d-------- C:\Downloads
2008-03-31 11:04 . 2008-03-31 11:25 <DIR> d-------- C:\Bases
2008-03-31 11:02 . 2008-03-31 11:34 <DIR> d-------- C:\Kaspersky
2008-03-29 23:57 . 2007-12-07 10:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-29 23:57 . 2007-07-01 11:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-29 23:57 . 2007-07-01 11:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-29 23:57 . 2007-12-07 10:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-29 23:57 . 2007-12-07 10:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-29 23:57 . 2007-12-07 10:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-29 23:57 . 2007-12-07 10:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-29 23:57 . 2007-12-07 10:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-29 23:57 . 2007-12-06 19:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-27 11:24 . 2008-03-27 11:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-27 11:24 . 2008-03-27 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-24 20:42 . 2008-03-24 20:42 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-24 20:42 . 2008-03-24 20:42 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-24 13:56 . 2008-03-24 13:56 <DIR> d-------- C:\Program Files\Saxton NCLEX-RN® 18e
2008-03-24 13:56 . 2008-03-24 13:59 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-03-16 19:08 . 2008-03-16 19:08 <DIR> d-------- C:\Documents and Settings\russ\Application Data\PC Suite
2008-03-11 21:47 . 2008-03-11 21:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-11 06:16 . 2008-03-11 06:16 <DIR> d-------- C:\Program Files\EPSON
2008-03-11 06:15 . 2008-03-11 06:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-11 06:15 . 2008-03-11 06:15 25 --a------ C:\WINDOWS\CDEC90ASIA.ini
2008-03-11 06:06 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-03-11 06:06 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-03-10 00:14 . 2008-03-10 00:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-07 16:26 . 2008-03-27 09:43 <DIR> d-------- C:\Documents and Settings\Ruberc\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 11:51 --------- d-----w C:\Program Files\Yahoo!
2008-03-24 13:36 --------- d-----w C:\Program Files\QuickTime
2008-03-24 13:35 --------- d-----w C:\Program Files\MSN Messenger
2008-03-24 13:28 --------- d-----w C:\Program Files\iTunes
2008-02-29 16:00 --------- d-----w C:\Documents and Settings\Ruberc\Application Data\McAfee.com Personal Firewall
2008-02-26 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-26 10:43 --------- d-----w C:\Program Files\KODAK
2008-02-25 12:31 --------- d-----w C:\Program Files\ArcSoft
2008-02-25 11:52 --------- d-----w C:\Program Files\Common Files\KODAK
2008-02-24 02:10 --------- d-----w C:\Program Files\Common Files\Adobe
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-03-23 16:33 126976]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ARC"="C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" [2004-08-25 05:00 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 01:38 110592]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 01:38 208896]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05 212992]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 18:29 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2005-03-18 03:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 20:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Ruberc^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Ruberc\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
--a------ 2005-04-20 01:38 20480 C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2005-04-20 01:38 396288 C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-03-31 09:30 1106944 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
--------- 2004-11-24 02:10 212992 C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2004-11-02 08:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2004-11-02 09:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 11:25 257088 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a------ 2005-09-22 18:29 303104 c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2006-01-11 12:05 212992 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
--a------ 2005-04-05 14:41 950272 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
--a------ 2005-03-23 16:33 126976 C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
--a------ 2005-03-23 15:47 1111040 C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
--a------ 2005-08-11 22:02 53248 C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-03-22 09:39 167936 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-04-20 09:57 847872 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTRAY]
--a------ 2005-03-18 03:07 745472 C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLICON]
--a------ 2005-03-18 03:07 86016 C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2004-08-06 08:27 860160 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-04-01 10:52 1368064 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
--a------ 2004-11-12 01:07 40960 C:\WINDOWS\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
-ra------ 2005-03-03 17:10 94208 C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
--a------ 2004-02-04 18:39 897024 C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrackPointSrv]
-ra------ 2004-10-28 03:50 94208 C:\WINDOWS\system32\tp4serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
--a------ 2005-08-10 12:49 163840 C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
--a------ 2005-07-08 18:18 151552 C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_AntiSpyware]
--a------ 2006-01-06 15:14 327680 c:\progra~1\mcafee\MCAFEE~1\masalert.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 03:07]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 03:07]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2005-04-20 01:38]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINDOWS\system32\DRIVERS\tp4track.sys [2004-10-28 03:50]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 03:07]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 08:09:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-06-20 09:48:35 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2008-02-18 22:06:39 C:\WINDOWS\Tasks\McAfee AntiSpyware.job"
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 09:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ARC = "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-04-04 9:55:15
ComboFix-quarantined-files.txt 2008-04-04 01:54:51
ComboFix2.txt 2008-04-03 11:04:55
Pre-Run: 13,811,044,352 bytes free
Post-Run: 13,801,304,064 bytes free
.
2008-03-30 07:21:23 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:41 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ARC] "C:\Program Files\McAfee\McAfee QuickClean\Uni.exe" /ARC:Boxing Manager Professional Edition 1.8.3
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Chessmaster Challenge\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Chessmaster Challenge\Images\armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINDOWS\system32\DRIVERS\dcfssvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 5898 bytes

#98
kahdah (GeekU Teacher, Retired Staff)
Please go to Start > My Computer, then C:\

then open it up and delete this file: C:\kso6.bat

After that, run the Kaspersky scan once more.
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#99
amm007 (Topic Starter)
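Two things in the logs above decide what to do with the remaining file, and the added example below reads both out of the log lines. It is my own code, not part of any post or of ComboFix or Kaspersky; the function names are mine, and reading the `c` attribute letter as "compressed" is an assumption. ComboFix lists C:\kso6.bat with attributes `-r-hs----`, i.e. read-only, hidden and system: Explorer does not show hidden files by default, and a hidden+system file stays invisible even with "Show hidden files" on until "Hide protected operating system files" is also unchecked, so it is easy to miss in My Computer. The Kaspersky reports in this thread list dozens of infected objects, but almost all of them are copies inside System Restore snapshots (`C:\System Volume Information\_restore{...}`), which are not running and disappear when System Restore is turned off and back on; the "Object is locked" entries were never scanned at all. Separating the report into live infections, restore-point copies and locked files shows what actually needs removing.

```python
"""Triage ComboFix file entries and Kaspersky Online Scanner lines (added example)."""
import re

# ComboFix "Files Created" attribute column, one letter per flag (d/r/a/h/s are
# the standard DOS attributes; 'c' on the dllcache entries is taken to mean
# compressed, which is an assumption).
CF_FLAG_NAMES = {"d": "directory", "r": "read-only", "a": "archive",
                 "h": "hidden", "s": "system", "c": "compressed"}

CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")


def parse_combofix_entry(line):
    """Decode one 'Files Created' line into its path, size and attribute flags."""
    m = CF_LINE.match(line.strip())
    if not m:
        raise ValueError("not a ComboFix file entry: %r" % line)
    flags = {CF_FLAG_NAMES.get(ch, ch) for ch in m.group("attrs") if ch != "-"}
    size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
    return {
        "path": m.group("path"),
        "size": size,
        "flags": flags,
        # Explorer hides 'hidden' files by default; hidden+system files also need
        # "Hide protected operating system files" unchecked before they appear.
        "hidden_from_explorer": "hidden" in flags,
        "needs_show_protected": {"hidden", "system"} <= flags,
    }


def removal_commands(path):
    """cmd.exe lines that clear the attributes and then delete the file."""
    return ['attrib -r -s -h "%s"' % path, 'del "%s"' % path]


# Kaspersky report lines end either in "Object is locked skipped" or in
# "Infected: <verdict> skipped".
KAV_LINE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked|Infected: (?P<verdict>\S+)) skipped$")
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE)


def triage_kaspersky(lines):
    """Split report lines into live infections, restore-point copies and locked files."""
    live, restore, locked = [], {}, []
    for line in lines:
        m = KAV_LINE.match(line.strip())
        if not m:
            continue                      # headers, statistics, blank lines
        path, verdict = m.group("path"), m.group("verdict")
        if verdict is None:
            locked.append(path)           # in use at scan time; never examined
        elif RESTORE_POINT.search(path):
            restore[verdict] = restore.get(verdict, 0) + 1   # System Restore snapshot
        else:
            live.append((path, verdict))  # on the live file system; needs removal
    return {"live": live, "restore_points": restore, "locked": locked}


# Sample lines, copied from the logs posted in this thread.
COMBOFIX_SAMPLE = [
    r"2008-04-03 18:47 . 2008-04-03 18:47 158,261 -r-hs---- C:\kso6.bat",
    r"2008-04-02 19:35 . 2008-04-02 19:35 <DIR> d-------- C:\Deckard",
    r"2008-03-29 23:57 . 2007-12-07 10:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll",
]
KASPERSKY_SAMPLE = [
    r"C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped",
    r"C:\kso6.bat Infected: Trojan.Win32.Vaklik.yl skipped",
    r"C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000341.dll.mwt Infected: Packed.Win32.PolyCrypt.h skipped",
    r"C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000367.dll Infected: Worm.Win32.AutoRun.dem skipped",
    r"C:\System Volume Information\_restore{A0515764-FCD7-49DF-B1A0-2AC466CD1313}\RP2\A0000423.dll Infected: Trojan-PSW.Win32.OnLineGames.yrf skipped",
]

if __name__ == "__main__":
    for line in COMBOFIX_SAMPLE:
        e = parse_combofix_entry(line)
        print(e["path"], sorted(e["flags"]), "(needs 'show protected OS files')" if e["needs_show_protected"] else "")
    report = triage_kaspersky(KASPERSKY_SAMPLE)
    for path, verdict in report["live"]:
        print("LIVE:", path, verdict, "->", " && ".join(removal_commands(path)))
    print("restore-point copies:", report["restore_points"])
    print("locked (never scanned):", len(report["locked"]))
```

On the sample lines the only live hit is C:\kso6.bat, and the two cmd.exe lines `attrib -r -s -h` followed by `del` remove it regardless of the Explorer folder options; the restore-point copies are counted per verdict rather than listed, since they go away together when System Restore is cleared.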
I was unable to find and delete kso6.bat. I'll post the Kaspersky log soon.

#100
amm007 (Topic Starter)
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 04, 2008 1:14:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/04/2008
Kaspersky Anti-Virus database records: 680381
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 49469
Number of viruses found: 9
Number of infected objects: 106
Number of suspicious objects: 0
Duration of the scan process: 00:57:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masdata.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\AntiSpyware\Data\masevents.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Logs\Filtering.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruberc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ruberc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ruberc\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ruberc\ntuser.dat.LOG Object is locked skipped
C:\kso6.bat Infected: Trojan.Win32.Vaklik.yl skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\dhv2u8.cmd Infected: Worm.Win32.AutoRun.dfc skipped
D:\kso6.bat Infected: Trojan.Win32.Vaklik.yl skipped

Scan process completed.

#101
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\kso6.bat 
D:\dhv2u8.cmd 
D:\kso6.bat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply.
=============================================================
Then I would like for you to run the MWav scan again; please update it before doing so.

Post the Avenger log and the Mwav log and we will see what we see.

#102
amm007
    Member
  • Topic Starter
  • Member
  • 265 posts
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\kso6.bat" deleted successfully.
File "D:\dhv2u8.cmd" deleted successfully.
File "D:\kso6.bat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#103
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Ok go ahead with the Mwav scan again and post that log please.

#104
amm007
    Member
  • Topic Starter
  • Member
  • 265 posts
There is no display in the virus log info window. Because mwav.log is big, here's the summary anyway:

Sat Apr 05 00:49:51 2008 => ***** Scanning complete. *****

Sat Apr 05 00:49:51 2008 => Total Number of Files Scanned: 50770
Sat Apr 05 00:49:51 2008 => Total Number of Virus(es) Found: 0
Sat Apr 05 00:49:51 2008 => Total Number of Disinfected Files: 0
Sat Apr 05 00:49:51 2008 => Total Number of Files Renamed: 0
Sat Apr 05 00:49:51 2008 => Total Number of Deleted Files: 0
Sat Apr 05 00:49:51 2008 => Total Number of Errors: 2
Sat Apr 05 00:49:51 2008 => Time Elapsed: 01:37:48
Sat Apr 05 00:49:51 2008 => Virus Database Date: 2008/04/04
Sat Apr 05 00:49:51 2008 => Virus Database Count: 681582

Sat Apr 05 00:49:51 2008 => Scan Completed.

#105
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Ok once more with this scan


Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as an html document button:
  • Save the file to your desktop.
  • Attach that information in your next post.
